Everything but tests

Signed-off-by: Stephen Crawford <[email protected]>
opensearch-project · Sep 7, 2023 · bd10ee3 · bd10ee3
1 parent 1034cef
commit bd10ee3
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 1 deletion.
diff --git a/config/internal_users.yml b/config/internal_users.yml
@@ -11,7 +11,7 @@ _meta:
 ## Demo users
 
 admin:
-  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+  hash:
   reserved: true
   backend_roles:
   - "admin"

diff --git a/config/opensearch.yml.example b/config/opensearch.yml.example
@@ -38,6 +38,10 @@ plugins.security.authcz.admin_dn:
 # BOTH - backend roles are mapped to Security roles mapped directly and via roles_mapping.yml in addition
 plugins.security.roles_mapping_resolution: MAPPING_ONLY
 
+# Specify the default password for the admin user
+# Note: This setting is required for using the default admin user account
+plugins.security.authcz.admin.password:
+
 ############## REST Management API configuration settings ##############
 # Enable or disable role based access to the REST management API
 # Default is that no role is allowed to access the REST management API.

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1205,6 +1205,9 @@ public List<Setting<?>> getSettings() {
                                                                                                                             // here
 
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_CERT_OID, Property.NodeScope, Property.Filtered));
+            settings.add(
+                Setting.simpleString(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DEFAULT_PASSWORD, Property.NodeScope, Property.Filtered)
+            );
 
             settings.add(
                 Setting.simpleString(
@@ -1827,6 +1830,7 @@ public void onNodeStarted(DiscoveryNode localNode) {
             cr.initOnNodeStart();
         }
         this.localNode.set(localNode);
+        this.userService.setDefaultAdminPassword(settings.get(ConfigConstants.SECURITY_AUTHCZ_ADMIN_DEFAULT_PASSWORD, "admin"));
         final Set<ModuleInfo> securityModules = ReflectionHelper.getModulesLoaded();
         log.info("{} OpenSearch Security modules loaded so far: {}", securityModules.size(), securityModules);
     }

diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -139,6 +139,7 @@ public class ConfigConstants {
     public static final String SECURITY_INTERCLUSTER_REQUEST_EVALUATOR_CLASS = "plugins.security.cert.intercluster_request_evaluator_class";
     public static final String OPENDISTRO_SECURITY_ACTION_NAME = OPENDISTRO_SECURITY_CONFIG_PREFIX + "action_name";
 
+    public static final String SECURITY_AUTHCZ_ADMIN_DEFAULT_PASSWORD = "plugins.security.authcz.admin.password";
     public static final String SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn";
     public static final String SECURITY_CONFIG_INDEX_NAME = "plugins.security.config_index_name";
     public static final String SECURITY_AUTHCZ_IMPERSONATION_DN = "plugins.security.authcz.impersonation_dn";

diff --git a/src/main/java/org/opensearch/security/user/UserService.java b/src/main/java/org/opensearch/security/user/UserService.java
@@ -314,4 +314,37 @@ public static void saveAndUpdateConfigs(
             throw ExceptionsHelper.convertToOpenSearchException(e);
         }
     }
+
+    /**
+     * This method updates the default admin password by modifying the internal user store on node start.
+     *
+     * @param plainTextPassword The default password to be used -- specified in the opensearch.yml file
+     */
+    public void setDefaultAdminPassword(String plainTextPassword) {
+        final SecurityDynamicConfiguration<?> internalUsersConfiguration = load(getUserConfigName(), false);
+
+        try {
+
+            if (!internalUsersConfiguration.exists("admin")) {
+                throw new UserServiceException(FAILED_ACCOUNT_RETRIEVAL_MESSAGE);
+            }
+
+            DefaultObjectMapper mapper = new DefaultObjectMapper();
+            JsonNode accountDetails = mapper.readTree(internalUsersConfiguration.getCEntry("admin").toString());
+            final ObjectNode contentAsNode = (ObjectNode) accountDetails;
+            contentAsNode.put("hash", hash(plainTextPassword.toCharArray()));
+
+            internalUsersConfiguration.remove("admin");
+            contentAsNode.remove("name");
+            internalUsersConfiguration.putCObject(
+                "admin",
+                DefaultObjectMapper.readTree(contentAsNode, internalUsersConfiguration.getImplementingClass())
+            );
+            saveAndUpdateConfigs(getUserConfigName().toString(), client, CType.INTERNALUSERS, internalUsersConfiguration);
+        } catch (IOException e) {
+            throw ExceptionsHelper.convertToOpenSearchException(e);
+        } catch (UserServiceException e) {
+            throw ExceptionsHelper.convertToOpenSearchException(e);
+        }
+    }
 }
diff --git a/tools/install_demo_configuration.bat b/tools/install_demo_configuration.bat
@@ -318,6 +318,7 @@ echo plugins.security.check_snapshot_restore_write_privileges: true >> "%OPENSEA
 echo plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.system_indices.enabled: true >> "%OPENSEARCH_CONF_FILE%"
 echo plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"] >> "%OPENSEARCH_CONF_FILE%"
+echo plugins.security.authcz.admin.password: admin >> "%OPENSEARCH_CONF_FILE%"
 
 :: network.host
 >nul findstr /b /c:"network.host" "%OPENSEARCH_CONF_FILE%" && (

diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
@@ -386,6 +386,7 @@ echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CM
 echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*", ".opendistro-job-scheduler-lock"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo "plugins.security.authcz.admin.password: admin" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 
 #network.host
 if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then